Postfix – whitelisting and spf filtering


The whitelist lets me manually allow chosen mail servers to bypass the SPF filtering and the RBL (Real-time Blacklist) checks.

What does SPF filtering do? Suppose a spammer forges a Hotmail.com address and tries to spam you. They connect from somewhere other than Hotmail. When their message is sent, you see a Hotmail.com address in MAIL FROM:, but you don’t have to take their word for it. You can ask Hotmail if the IP address comes from their network.
(In this example) Hotmail publishes an SPF record. That record tells you how to find out if the sending machine is allowed to send mail from Hotmail. If Hotmail says they recognize the sending machine, it passes, and you can assume the sender is who they say they are. If the message fails SPF tests, it’s a forgery. That’s how you can tell it’s probably a spammer.

Now it’s time to set everything up. For the SPF filtering we need to install a few packages, so start with

yum --enablerepo=epel install python-dns python-pydns

We also need “pyspf”. Check for any updates from here
Then install it; you need to be the root user (change the version numbers if there’s an update)

#wget -O pyspf-2.0.5.tar.gz http://sourceforge.net/projects/pymilter/files/pyspf/pyspf-2.0.5/pyspf-2.0.5.tar.gz/download
#tar xvfz pyspf-2.0.5.tar.gz
#cd pyspf-2.0.5/
#python setup.py build
#python setup.py install

Finally we need “pypolicyd-spf”. Check for any updates from here
Then install it; you need to be the root user (change the version numbers if there’s an update)

#wget http://launchpad.net/pypolicyd-spf/0.8/0.8.0/+download/pypolicyd-spf-0.8.0.tar.gz
#tar xvfz pypolicyd-spf-0.8.0.tar.gz
#cd pypolicyd-spf-0.8.0/
#python setup.py build
#python setup.py install

Now that everything is installed, I need to tell Postfix to use it. Since I use Webmin I just navigate to “Servers”, “Postfix Mail Server”, then click “Edit Config Files”, or manually edit “/etc/postfix/main.cf”

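Now find “smtpd_recipient_restrictions = “, and add “check_client_access hash:/etc/postfix/rbl_override_whitelist, check_policy_service unix:private/policyd-spf,” after “reject_unauth_destination,”
It is important that you add it AFTER reject_unauth_destination or else your system can become an open relay! Postfix evaluates the restrictions in order, and an OK from the whitelist lookup (or a permit from the policy service) accepts the recipient on the spot, so anything placed before reject_unauth_destination could accept mail for destinations the server should refuse to relay to.
It should look like this.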

smtpd_recipient_restrictions = permit_mynetworks, permit_inet_interfaces, permit_sasl_authenticated, reject_unauth_pipelining, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_unauth_destination, check_client_access hash:/etc/postfix/rbl_override_whitelist, check_policy_service unix:private/policyd-spf, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit

Now I need to edit “/etc/postfix/master.cf”. Since I use Webmin I just navigate to “Servers”, “Postfix Mail Server”, then click “Edit Config Files” and select “master.cf” from the drop-down box at the top.

Now I add at the end

policyd-spf  unix  -       n       n       -       0       spawn
  user=nobody argv=/usr/bin/policyd-spf

The leading spaces before user=nobody are important so Postfix knows this line belongs to the previous one.

The last thing I need to do is create the whitelist file, so log in as root

#cd /etc/postfix
#vi /etc/postfix/rbl_override_whitelist

Then add all IP addresses or hostnames that you want whitelisted (one per line only).
Here is what it should look like

1.2.3.4 OK
mail.example.net OK

After you create/modify the file you need to run

#postmap /etc/postfix/rbl_override_whitelist

Finally restart postfix

#/etc/init.d/postfix restart

Now send a test message from an external email account. If the email doesn’t arrive, check the logs for any errors (something you should do regularly anyway).

Hopefully everything is working fine and you should start seeing a drop in forged emails. Don’t forget to create an SPF record for your domain so other servers can check your emails. There is an easy-to-use wizard to help create the record for you.
This is what my record looks like

v=spf1 a ip4:195.242.236.240 ip4:85.234.148.232/30 ip4:85.234.148.236 ip6:2001:470:1f09:d2b::/64 ip6:2001:470:1f09:81e::/64 -all

It basically lists all the IP addresses that are allowed to send email for my domain and says reject everything else.
If you want to check whether a particular site has an SPF record, or whether it is working correctly, you can check at http://www.kitterman.com/spf/validate.html
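
To see how a receiving server reads a record like the one above, here is an added example (not part of the original post and not pyspf's own code) that evaluates a connecting IP against it, left to right. It covers only the ip4, ip6, a and all mechanisms; the check_spf function and its domain_addrs parameter are assumptions of this example, with domain_addrs standing in for the DNS lookup that the "a" mechanism needs.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208); a bare mechanism means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The record published in the post.
RECORD = ("v=spf1 a ip4:195.242.236.240 ip4:85.234.148.232/30 "
          "ip4:85.234.148.236 ip6:2001:470:1f09:d2b::/64 "
          "ip6:2001:470:1f09:81e::/64 -all")


def check_spf(record, client_ip, domain_addrs=()):
    """Return the SPF result for client_ip; the first matching mechanism wins.

    domain_addrs is a hypothetical stand-in for the domain's A/AAAA records
    (the caller resolves them), so the example runs without DNS.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        # Split at the first colon only, so IPv6 arguments stay intact.
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "a" and not arg:
            matched = any(ip == ipaddress.ip_address(a) for a in domain_addrs)
        elif name == "all":
            matched = True
        else:
            # include, mx, redirect, macros etc. are outside this subset.
            raise NotImplementedError("unsupported SPF term: " + term)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"


if __name__ == "__main__":
    # Constructed sample clients: inside the /30, just outside it, and IPv6.
    for client in ("85.234.148.234", "85.234.148.237", "2001:470:1f09:d2b::25"):
        print(client, check_spf(RECORD, client))
```

The /30 covers 85.234.148.232 to 85.234.148.235, which is why .236 needs its own ip4 entry and .237 falls through to -all.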
